[Full-Disclosure] Mcafee Spamkiller 5 spam filter bypass
From: Gregh (chows_at_ozemail.com.au)
To: "Disclosure Full" <firstname.lastname@example.org>
Date: Fri, 16 Jul 2004 14:23:12 +1000
This one was reported to McAfee a short time ago, this day. They don't see it as
a bug, however.
Enter a valid name into your FRIENDS list. Say "John" (email@example.com)
is the entry. Now put an entry in ACCEPTING email from any email address
where the received line has a certain phrase in it. E.g., you may wish to put
"Netsys" for example. Now, any email that comes in with the name "John" so
long as it has "Netsys" in received will be accepted not because of the
presence of "Netsys" but will be received and accepted by Spamkiller 5 and
marked as having come from firstname.lastname@example.org even when the John in question
will be a totally different From address.
So what does this mean?
If spammers can figure out a way to insert the letter "a" into your accepted
rules and keep on sending FROM names (not from ADDRESSES) using the same
name as one already in your friends list, you can bypass Spamkiller's other
entries entirely, thus making it totally useless. Now as most Western
hemisphere people know a person called "John" or "Joan" and as most people
don't supply surnames with their first name in email, all it is going to
take for Spamkiller to be bypassed is for spammers to figure out how to
insert a rule into Spamkiller 5 accepting any email that has a RECEIVED line
with the letter "a" in it and make sure that they have a spoofed RECEIVED
with that letter in it.
So please tell me - if anyone knows - why the HELL pay for Spamkiller when
it is so easy to bypass? Damned if I know why I did, now!
Full-Disclosure - We believe in it.
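
The attribution problem the post reports, as an added example that is not part of the original message and not McAfee's code: a simplified model in which a friends-list lookup keyed on the From display name is compared with one keyed on the address. The addresses, the `FRIENDS` table, the function names and the sample message are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed configuration (assumption): one friend entry and one accept rule.
FRIENDS = {"john@friend.example": "John"}
ACCEPT_RECEIVED_PHRASE = "Netsys"

# Constructed sample: display name matches the friend, the address does not.
SAMPLE = (
    "Received: from relay.example (Netsys relay) by mx.local.example\n"
    'From: "John" <someone-else@bulk.example>\n'
    "Subject: hello\n"
    "\n"
    "body\n"
)

def friend_by_name(display, addr):
    """Behaviour the post describes: the display name alone selects the friend."""
    for friend_addr, friend_name in FRIENDS.items():
        if display.strip().lower() == friend_name.lower():
            return friend_addr
    return None

def friend_by_address(display, addr):
    """Stricter lookup: only the address part of From is compared."""
    addr = addr.lower()
    return addr if addr in FRIENDS else None

def classify(raw, friend_lookup):
    """Report rule hit, friend attribution, and a name/address mismatch flag."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    received = " ".join(msg.get_all("Received") or [])
    rule_hit = ACCEPT_RECEIVED_PHRASE.lower() in received.lower()
    named = friend_by_name(display, addr)
    return {
        "from_addr": addr,
        "rule_hit": rule_hit,
        "attributed_to": friend_lookup(display, addr),
        # Friend's name on a different address: worth flagging, not trusting.
        "mismatch": named is not None and named != addr.lower(),
    }

if __name__ == "__main__":
    print("by name:   ", classify(SAMPLE, friend_by_name))
    print("by address:", classify(SAMPLE, friend_by_address))
```

The `mismatch` flag is independent of which lookup is used, so it can serve as a detection signal for mail that borrows a friend's name.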